If files have been modified on your server, or files have been uploaded for instance, you can check the timestamps on those files to find out when the attacker was on your site. This is typical in the case of sites being defaced or malicious code being injected somewhere. Most of the time, the attacker will have gained access to your site shortly before modifying or uploading files to it.

By checking your access logs for the period around that time, you may find some clues as to how the hacker gained access and which IP address the attack came from, thus enabling you to track down things more easily in the logs.

Here are some simple shell commands you can use to spot down possible trouble spots. Let's say, that you suspect, that the site was hacked in past 4 days, so you need to focus mainly on the files changed on that time period. All you need to do is to log in to your server, use the shell access usually provided with good hosting accounts, and use the find command to find out which files have been changed recently.

This command will list all files in the current folder where the file modification time (mtime) is less than four days old:

find . -mtime -4

This command will list all files in the current folder where the last change of file status (ctime) happened less than four days ago:

find . -ctime -4

This command will list all files changed at least one day ago but less than four days ago:

find . -ctime +1 -a -ctime -4

You can also try searching for suspicious POST requests made to for instance non-form addresses on your site.